MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.

11.10.11

Phoenix Exploit's Kit is a package with more continuity in crime scene crimeware. After all this tour is currently in the wild version 2.8 that, despite having a low activity since the last half of this year, remains one of the many Exploit Pack with greater preference for cyber-criminals.

Perhaps this "slack time" to have your response in high demand now has another crimeware of this style, which is arguably one of the players today: Black Hole Exploit Pack.

However, PEK has a similar licensing model, where the last version was released with an "alternative" to buy. This is Phoenix Exploit's Kit 2.8 mini. Let us look briefly this alternative to crime which we could access through our Offensive Security Service CrimewareAttack.

The licensing model consists in the version Simple domain closed at a cost of USD 2.200, another version Multithreaded domain also closed to USD 2.700 and an extra-encryption service USD 40 (ReFUDing), already present from several versions back as part of the "added value".

PEK Access Panel 2.8. Like previous versions, respects its policy of authentication through a single factor defined by a password that checks its integrity through its MD5 hash.

Basically this new version does not change its characteristics, at least in regards to its graphical interface and functionality in relation to previous versions. Each section shows the same flow crimeware and type of statistical information, minimalist yet concise, this being, though trivial, one of the main reasons for the adoption of Phoenix by cyber-criminals. Simply find the information they need to increase the level of success and attack strategies, and merge the functionality of this Exploit Pack with some Malware Kit as SpyEye or ZeuS.

What is the difference between full version and the mini version?
Basically, the business around licensing model above. In the case of the mini version, the model is subject to a domain under the simple mode, while the full version allows multitasking.

Perhaps this model does not say much in this way, but the reason for their existence is based on the possibility of using different business affiliates with different profiles from the full licensing model. In this way, criminals can expand its business coverage. While with the mini version is limited to a single user profile.

What is new about the exploits?
Basically not much. Everything happens for optimizing the code for exploits a success rate effective in the process of exploitation, adding the exploit for Java Runtime Environment to Trusted.

Also removed were the following exploits pre-compiled in version 2.7:

Windows Help and Support Center Protocol Handler Vulnerability – CVE-2010-1885

Integer overflow in the AVM2 abcFile parser in Adobe Flash Player – CVE-2009-1869

From M86 Security Lab have published this summer "Phoenix Exploit Kit (2.7) Continues to be updated", describing the methodology of obfuscation that had already been using earlier versions. With this modification, the author sought to prevent monitoring of components of PEK and discover its structure, for example, during the research process.

Although it’s basically the same exploits (similar in all cases, including those incorporating other Exploits Pack in the wild), the author's optimized for each version. In this case, includes the following exploits:

Despite the optimization of the components for each version exploits, is striking and interesting that chain optimization and updating MDAC exploit remains the most domination, not only in this Exploit Pack it in any of the existing. What is the reason? Just a lack of maturity on the users (application, customers around the basic procedures update) that transforms him into a potential target and highly drinkable through this old, but effective vulnerability.

More information about Inside Phoenix Exploit’s Pack in other versions:

The graph shows some of the domains that the creators of Phoenix Exploit's Kit used in 2011.

Review of the components that are part of Phoenix Exploit's Kit 2.8 mini version

Simple statistics. The typical first screen displayed when accessing PEK. Display data of interest to cybercriminals uqe groups are behind its management: Browser (and version) most exploited, the number of compromised machines and exploits with the highest rate of success.

Advanced statistics. Information with a broader level of detail regarding compromised browsers and operating systems, along with information on the rate of success for each one of them.

Countries statistics. Information similar to the panels above but relevant data on the countries concerned.

Although some aspects of "subtle", the truth is that virtually PEK changes in each version, and perhaps its simplicity of use is the key for which is still alive in a criminal environment where demand and competition is very strong. As in conventional business, but... the criminal side.